Lawsuits and data breaches

One of the potential business impacts that should be factored into any risk assessment for a data breach of customer information is the possibility of a class action for damages. It’s interesting therefore to note that a federal court in Missouri has recently dismissed a claim against a pharmacy benefits company over a data breach in which millions of customer records were believed to have been illegally accessed.

The plaintiff contended that he and other victims faced an increased risk of becoming the victims of identity theft. The case was dismissed because he failed to prove that his information had been used fraudulently. The plaintiff needed to prove that the injury was “actual or imminent, not conjectural or hypothetical.” That clearly presents a challenge in the shadowy world of cyberspace, where concrete evidence is hard to come by, and frauds are likely to be based on multiple sources of information gathered over time.

1 comment

I can understand both sides of the argument here, but after consideration I find myself siding with the judge. The idea of an individual suing on the grounds that lost/stolen information might just be used for an identity fraud at some point in the future is going too far. Imagine the consequences for TK Maxx or even HMRC if this were to become normal practice following any data breach. I think it's the regulators who have the obligation to intervene at the time of the breach, by imposing appropriate fines and stipulating corrective actions. Class actions can follow if the breach leads to a provable loss. Allowing class actions at the time of a breach is a recipe for printing money, as there will always be breaches.